{"id":91613,"date":"2023-03-29T17:34:53","date_gmt":"2023-03-29T12:04:53","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=91613"},"modified":"2023-06-17T16:24:28","modified_gmt":"2023-06-17T10:54:28","slug":"deep-dive-into-royal-ransomware","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/deep-dive-into-royal-ransomware\/","title":{"rendered":"Deep Dive into Royal Ransomware"},"content":{"rendered":"\r\n

The rise of ransomware and malware variants has been a growing concern for individuals and organizations alike. With new strains of malicious software emerging every day, the threat landscape has become increasingly complex and dangerous. Let’s delve into the world of ransomware and explore how we can protect ourselves against this ever-evolving threat<\/span>.<\/span><\/span><\/span><\/p>\r\n

Introduction<\/span><\/span>\u00a0<\/span><\/h3>\r\n

The Royal Ransomware was first observed in mid-2022. It is a type of ransomware that encrypts all volumes including network shared drives. The Royal Ransomware uses the\u201c.Royal\u201c, <\/b>and \u201c.Royal_w\u201d<\/b> extension on the encrypted files instead of some randomly generated extensions like other ransomware use. The group behind Royal Ransomware operates independently. The group drops the ransom note with the name README.TXT<\/b> which contains the unique \u201ctor\u201d<\/b> link for further communication with the attacker. This ransomware is distributed through torrent sites, malicious<\/a> attachments, and more. This ransomware uses the AES algorithm with the key and IV encryptions using the RSA. The encryption of the file is decided on the basis of the <\/span>\u201c-ep\u201d<\/b><\/span> parameter.<\/span><\/p>\r\n

Timeline of Ransomware<\/span><\/span>\u00a0<\/span><\/h3>\r\n

\"\"<\/p>\r\n

Timeline of Royal Ransomware<\/span><\/span><\/span><\/span><\/em><\/p>\r\n

T<\/span>echnical A<\/span>nalysis<\/span>:<\/span><\/span>\u00a0<\/span><\/h3>\r\n

On initial execution, the Royal ransomware takes the command line arguments; Path, id, and ep, where the id is a 32-bit array, and ep is the encryption percentage.<\/p>\r\n

\"\"<\/i><\/p>\r\n

Calling <\/span>cmd<\/span> with arguments<\/span><\/em><\/p>\r\n

Deletion of Shadow Copies:<\/span><\/b>\u00a0<\/span><\/h5>\r\n

Volume shadow copies are deleted to prevent system restoration.<\/span>\u00a0<\/span><\/p>\r\n

vssadmin.exe Delete Shadows \/All \/Quiet<\/span>\u00a0<\/span><\/p>\r\n

\"\"<\/i>Deletion of shadow copy<\/i><\/span><\/p>\r\n

Before the encryption process, it creates a list for the exclusion of extensions and directories which are further used by threads at the time of encryption. In the new variant. Royal_w and .Royal_u are added in the excluded extensions.<\/p>\r\n

\"\"<\/p>\r\n

L<\/span>ist of directories and <\/span>extensions<\/span> to be excluded from the encryption process<\/span>.<\/span><\/em><\/p>\r\n

 <\/p>\r\n

List of <\/span>e<\/span>xtensions <\/span>e<\/span>xcluded<\/span> –<\/span><\/span><\/p>\r\n\r\n\r\n\r\n\r\n\r\n
\r\n

.exe<\/p>\r\n<\/td>\r\n

\r\n

.dll<\/p>\r\n<\/td>\r\n<\/tr>\r\n

\r\n

.bat<\/p>\r\n<\/td>\r\n

\r\n

.lnk<\/p>\r\n<\/td>\r\n<\/tr>\r\n

\r\n

.royal<\/p>\r\n<\/td>\r\n

\r\n

.royal_w<\/p>\r\n<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n

 <\/p>\r\n

List of directories excluded –<\/p>\r\n\r\n\r\n\r\n\r\n\r\n\r\n
\r\n

windows<\/p>\r\n<\/td>\r\n

\r\n

royal<\/p>\r\n<\/td>\r\n

\r\n

$recycle.bin<\/p>\r\n<\/td>\r\n<\/tr>\r\n

\r\n

google<\/p>\r\n<\/td>\r\n

\r\n

perflogs<\/p>\r\n<\/td>\r\n

\r\n

mozilla<\/p>\r\n<\/td>\r\n<\/tr>\r\n

\r\n

tor browser<\/p>\r\n<\/td>\r\n

\r\n

boot<\/p>\r\n<\/td>\r\n

\r\n

$windows.~ws<\/p>\r\n<\/td>\r\n<\/tr>\r\n

\r\n

$windows.~bt<\/p>\r\n<\/td>\r\n

\r\n

Windows.old<\/p>\r\n<\/td>\r\n

\u00a0<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n

 <\/p>\r\n

File Encryption:<\/span><\/span>\u00a0<\/span><\/h4>\r\n

The ransomware uses the GetNativeSystemInfo API to retrieve the number of processors in a machine, then it multiplies the result by two and creates a number of threads.
These threads are responsible for the file encryption process.<\/p>\r\n

\"\"\"\"Thread creation<\/span><\/span><\/em><\/p>\r\n

With the help of Restart Manager, it checks if there are any files that are being used by the other processes.<\/p>\r\n

Royal ransomware uses the RmGetList APIs to verify which process is using the resources, and then, it compares it with explorer.exe. If the process is not explorer.exe, it calls the RmShutDown API to kill those processes.<\/p>\r\n

\"\"<\/i><\/p>\r\n

Process kill through\u00a0 <\/span>RmShutDown<\/span> API<\/span><\/span>\u00a0<\/span><\/em><\/p>\r\n

Royal Ransomware uses the RSA public key for encrypting AES key and IV. And the RSA Public key is embedded in the executable.<\/p>\r\n

\u00a0<\/p>\r\n

\"\"<\/p>\r\n

RSA Public Key<\/span><\/span><\/em><\/p>\r\n

It enumerates the Drives with the API call GetLogicalDrives and adds the README.TXT in each drive, as illustrated in the following images.<\/p>\r\n

\"\"<\/p>\r\n

Enumeration<\/span> of <\/span>Logical<\/span> Drives<\/span><\/em><\/p>\r\n

\"\"<\/p>\r\n

Readme file is created at A:<\/span><\/span><\/em>\\\\<\/span><\/span><\/p>\r\n

To compare the Directories and the Extension for the exclusion, it uses the API strstrIW. In the figure below the excluded directory and extensions are compared with the current directory and file respectively.<\/p>\r\n

 <\/p>\r\n

\"\"<\/p>\r\n

Comparing directory and extension to the Excluded list<\/span><\/span><\/em><\/p>\r\n

After the encryption through the AES algorithm, it uses the MoveFileExW API to append the extension \u201c.royal\u201d.<\/p>\r\n

\"\"<\/p>\r\n

Adding the <\/span>\u201c.royal<\/span>\u201d<\/span> extension<\/span><\/em><\/p>\r\n

The encryption is based on two parameters, i.e. file size and the value of ep. If ep is not provided, it encrypts based on the files size parameter, as per the following:-<\/span>\u00a0<\/span><\/p>\r\n